7 Common HIPAA Violations You Need to Avoid

We discussed in a prior post what exactly HIPAA (Health Insurance Portability and Accountability Act) is and how HIPAA regulations can affect your practice. Much of what goes into being HIPAA compliant comes down to common sense and being proactive in protecting patients’ protected health information (PHI).

With that in mind, it’s important to know how to avoid common violations and potentially heavy fines and court settlements.

Common HIPAA Violations

1. Lost or Stolen Devices

This is probably one of the easiest ways to draw a HIPAA violation. The average American owns roughly three connected devices (including mobile devices), not counting devices supplied by their employer.

While for most employees losing a work device results in a tongue-lashing from IT, for healthcare providers, losing a device with PHI on it can result in major trouble.

3. Dishonest Employees

The human element, on the other hand, can be quite unpredictable – especially with identity theft or fraud being as prevalent as jaywalking.

Medical records are a prime source of sensitive patient information that can be used to steal a victim’s identity, including Social Security numbers, addresses, family members, and financial information.

4. Hacking

While hacking may be considered an inevitable risk for a world that grows ever more dependent on sharing and storing information digitally, not taking all the proper and available steps to avoid becoming a victim of a data breach simply ensures the worst case scenario.

Complex passwords, firewalls, updated software and anti-virus programs, and encrypted data transfers are the easiest ways to avoid becoming a victim of stolen medical information or unauthorized access.

5. Improper Disposal

Maintaining medical records is only half the job. Making sure that patient information and patient data are disposed of in a way that ne’er-do-wells cannot retrieve them is extremely important.

Shredding documents and securely wiping any device that has a hard drive (don’t forget your office printer) are an absolute must when it comes to maintaining document integrity and keeping private health information private.

6. Unauthorized Disclosure

This violation is a more common occurrence when the patient is a person of note. Leaking PHI to the media can be an easy way for someone to make a sizable sum of money quickly.

Bottom line, if a patient hasn’t signed an authorization form, their medical status had best stay under lock and key.

Medical staff also need to be careful not to leak PHI verbally or through social media. Even passing conversation about a patient’s history is a violation of HIPAA code, especially if you consider how a little gossip can spread like wildfire.

Remember that while it’s fun to have the cool story at the water cooler, it’s not worth having to pay a six-figure settlement.

7. Third Party Disclosure

This is your good old-fashioned “guilt by association” statute.

Almost every medical practice will have to subcontract at some point. Thanks to HIPAA’s Common Agency Provision, your subcontractor’s violations are your violations as well: if they let any patient health information that you supplied slip through the cracks, you are on the hook too.

Before you agree to contract a third-party service, make sure to review their compliance plans and their privacy policies. Skipping that review could cost you your practice.

Ultimately, avoiding HIPAA violations requires a certain amount of diligence. Performing regular HIPAA compliance checks, following general best practices, and monitoring workflows to prevent mistakes are key to avoiding violations.